View of Military Clouds From a High Perch

The Defense Department weighs several issues as it plans a stratospheric computing future.

The U.S. Defense Department is aggressively pursuing cloud-computing options in the midst of budget cuts and personnel reductions. Pilot programs are in place around the uniformed services, experimenting with ways to enhance efficiency while ensuring security. But leadership is not moving ahead blindly. Rather, as officials examine opportunities in the right-now buzzword of cloud, they also are striving to ensure flexibility to take advantage of the next big trend.

Though the cloud offers lower costs for computing, the cost reductions must be compared to the upfront capital required to move from the Defense Department’s current complex and dense information technology environment to the homogenous cloud. “The opportunity to save is there; the opportunity to deliver efficiencies is there; but again, as we move down this path, there is an investment that will have to be balanced against savings,” says Robert J. Carey, the deputy assistant secretary of defense (information management, integration and technology) and Defense Department deputy chief information officer (CIO). Overall, the military is examining the cloud for the benefits it can offer while allowing for the necessary security considerations. Carey explains that leaders support the cloud as long as implementers understand the business cases for the technology and its strengths and weaknesses.

In this period of reduced funding—and Carey stresses that investment dollars are tight—organizations still can obtain the money they need by demonstrating a favorable return on investment. Contractions in budget and personnel will cause people to pause more before allocating upfront money. However, when organizations show that cloud computing enables them to work effectively with fewer people, ideas make sense and gain traction. “But it all has to be really thought out, and it can’t be a whim that you’re linking cloud computing to the ability to reduce computing staff by x,” he states. “You have to really think that through, and make sure that you really understand what you’re committing to.”

Funding is only part of the concern with clouds containing military information. Carey explains that if the Defense Department were to implement a public cloud, security needs inherent in the .mil domain would need to integrate with the offering. “Right now, that’s fairly difficult to do,” he says. “I would like to be able to buy cloud services from a provider outside of the Department of Defense in the private concept, which would allow me to utilize, for example, the defenses created by U.S. Cyber Command [CYBERCOM] to wrap those around the cloud offering and then provide the right security construct.”

Another issue is command and control of such a cloud. The military needs to be able to turn services on and off and to perform critical tasks if systems come under attack. “Another tangential issue I have is to be able to reach into this cloud using Department of Defense identities, which are founded in the Common Access Cards,” Carey explains. Any cloud offering has to recognize public-key infrastructure credentials and provide access to the correct, and only the correct, information. Officials are working through the process- and engineering-related difficulties of implementing such technology for the military.

Part of the solution will come from writing the correct requirements into contracts. “I know that that’s doable, but at the same time, we actually have a fairly sophisticated security apparatus for our networks,” Carey explains. “I’m not saying that industry doesn’t have as secure [features], but at least I know I can count on the defensive mechanisms and the protections that we manage inside the Department of Defense.”

Multiple organizations within the military have embarked on their own exploratory efforts into data consolidation. “We’re trying to scratch at the various technical attributes of cloud computing, determining its long-term viability of benefits to the purported savings and efficiencies and effectiveness it is supposed to deliver,” Carey says. For example, the Army’s email migration effort basically moves the service branch into a cloud managed by the Defense Information Systems Agency (DISA). “At the end of the day, we’re expecting that we can centralize and consolidate servers into a common architecture using DISA as the anchor,” Carey explains.

Another small pilot exercises smartphones in a way that enables them to access a cloud environment that can reach into other networks. Carey explains that the effort lets the military touch on the vision of giving warfighters access to information anywhere with whatever devices they possess. He adds that security is a consideration in all the pilots. “They’re testing various configurations that allow the evaluation of the security controls against the risks of having that information in the cloud,” Carey says.

Other test programs in place involve more soldiers as well as Navy, Air Force and DISA personnel. The National Security Agency (NSA) is engaged in an effort with Google Earth. In the background, Carey’s office develops cloud guidance for the department, “which is fairly difficult because we have such a diverse set of computing needs,” he says. Deciding what to put into the cloud and how is a challenge. “We do everything that a big corporation does, times 10, and on the move,” Carey states. The type of network infrastructure used in the military, coupled with classification levels and other concerns, results in a complex situation without a one-size-fits-all solution.

Carey’s office, DISA and CYBERCOM work in tandem to ensure that the transition to the cloud, along with other parts of military networks, runs smoothly. Carey and his team serve as the policy shop, making the rules and trying to enforce them. DISA is responsible for engineering solutions. “They are the brains behind the actual design and operation of these data centers,” Carey explains. CYBERCOM operates and defends the networks on which the data centers become key computing nodes. The organizations also collaborate with the military branches. Over the past couple of years, the various agencies have clarified their unique roles, though some blurring occurs, especially with data centers operated by the services. “There’s going to be an integration of role clarity between DISA establishing enterprise standards, and these franchise standards for core data centers,” Carey says. “Then hopefully we’ll be able to give them what I’ll call the Good Housekeeping Seal of Computing.”

In addition, the military works closely with civilian government agencies, including the intelligence community, the Federal CIO Council, the Department of Homeland Security and the General Services Administration (GSA). “Everyone is after this holy grail in cloud,” he explains. One of the largest initiatives is the Federal Risk and Authorization Management Program (FedRAMP), introduced by the council, to provide a standard approach to assessing and authorizing cloud computing services and products. CIOs from GSA and the departments of Homeland Security and Defense make up the Joint Authorization Board that issues provisional approvals for cloud systems. Their stamp of approval means they have validated and vetted a technology and others can use it. “We will be a major player throughout that process,” Carey says. “We have a vote in establishing the minimum thresholds, and based on our own information, we can decide that we want to invest in more controls or a greater level of controls to afford ourselves our own internal Defense Department comfort factors with the computing that maybe industry or our own selves bring.”

The private sector is a major partner in the military’s cloud computing journey. “There’s nothing inside of a Defense Department data center that didn’t start out in industry,” Carey states. He adds that industry has a great deal of opportunity to help the military in this space. As officials decide on specifications for data centers, the key will be ensuring that network defenders can protect information in the manner they deem best, whether the hosting is done by the government or through a vendor.

Carey says industry especially can assist with end-state challenges. “We’re jumping into the cloud pool very deliberately because we have to get security right,” he explains. “We’re not comfortable yet that the security provisions are squared away.” As FedRAMP moves forward, the military seeks to ensure that boundary conditions, firewalls and protections built internally are applicable and can be managed consistently wherever it decides to go with cloud computing. “Industry needs to understand our world and then apply it back to their world,” Carey says. “They also can contribute to things we need that would help us manage the data centers we have better.”

The military is consolidating its data centers, with its various groups targeting a 75 percent reduction. Overall, the Defense Department claims 772 centers, according to Carey. As facilities close, personnel aim to optimize hardware and servers through virtualization and other technologies. The goal is to increase capacity from about 15 percent in current centers to between 60 and 75 percent. “It’s a little bit of a delicate dance trying to shrink while plowing stuff into a consistent network computing architecture that we would call the franchises and then making sure they’re running as properly tuned engines,” Carey says.

Establishing core data centers that are more standardized enables the military to command and control the network and secure it better. It also provides a consistent environment to develop applications that would be less expensive to operate and maintain in the long run and for warfighters to access and discover information.

Another attractive point of the cloud is its ability to enable a mobile work force. The military is interested in that for several reasons, including flexibility and being able to tie identities to information regardless of network or access point. “The cloud environment provides the opportunity for our work force, uniformed or civilian, to engage this vast information enterprise we have in a completely different manner than we’re doing it today,” Carey explains. “No longer do I have to be sitting at my desk here in the Pentagon. I can be wherever I want to be, and that’s really powerful, and it’s very effective and efficient unto itself.”

Even as the Defense Department aggressively pursues the cloud, Carey and his partners are mindful that in a few years, new technologies may become more important. “We talk about what the computing environment is going to look like in three to four years,” he explains. “I will bet you ... that there will be changes in what we imagine the computing environment will look like in 2015. As big as we are, we have to think about the long-term consequences.”